Associate feature: Who keeps your organisation secure?

BT's Amy Lemberger argues that having the right security in place to protect your organisation is no longer just an option. It is a necessity.

Here are some figures to keep in mind as you consider your organisation's cyber security:

In July 2016, the UK's National Crime Unit found that cyber crime had overtaken traditional crime for the first time

There are 700 DDoS attacks per day in the UIK – that’s 29 an hour and an attack every 2 minutes

Over half of organisations with 3,000+ employees placed keeping up with security changes as the number one priority

And 60% of IT decision makers say they are going to increase spending in cyber security

The importance of our people

At BT, we block 14 million unauthorised connection attempts a day on our network, manage over 100,000 devices in 180 countries and protect 6,000 buildings. Maintaining good security in a global organisation like ours is absolutely critical – no question. But it is difficult without the right people doing the right jobs.

Security Operations is still a growth area. Over the last 5 years I’ve watched our operation triple in size and it’s not stopping. My own team grew from 4 to 15 people over 12 months. Technology and tools can go so far but a good analyst is essential for bringing it all together.

When faced with disparate data sets and challenging timescales, this area is all about turning data into actionable information, making key and critical decisions, executing and doing, all of this at the pace of the incident.

So, how do I find these people?

What do I look for? And when I have found them how do I keep them?

I am a huge advocate of Simon Sinek’s sentiment in his book, Start with Why - ‘You don’t hire for skills, you hire for attitude. You can always teach skills.’ When I look at a person I won’t discount them simply because they don’t have the right qualifications. Yes experience is important, but how can you get experience if no one recognises you have the passion and right aptitude for a security based, analytical role?

Working in the security department, you’re in a position of absolute trust. You must be willing to hold yourself, and those around you accountable to policy and standards. You need to be able to act as a security role model for non-security professionals around you. You also need to be able to reflect on your decisions, was it right, could I have done it better? I look for people who can demonstrate that ability.

Security Operations is in a constant state of change, with new threats and intelligence to action each day. Therefore I need people with the ability to deal with these changes with minimal impact to themselves. On top of that I need them to be able to adapt themselves and their response based on the situation or incident they are responding to.

Finally, with current wave of DevOps led improvements, it’s desirable to be able to see what future capabilities will be needed to stay one step ahead of our adversaries.

I want all of this whilst facing a skills shortage in the security industry.

Surely I am asking too much?

I don’t think so. Security is seen as a differentiator in many business strategies and is now recognised as a necessary Board level conversation. Why wouldn’t great minds want to be part of this movement?

What we need to do, as leaders, is understand how to create an environment that these people want to be part of. Skilled people can choose where they work, it is their market, not ours.

Incentives to keep highly engaged people are imperative. We partner with the National Cyber Security Centre (NCSC) as a member of their joint industry task force; the Fusion Cell. This means I supply a person to support national cyber initiatives. I see this as a great development opportunity for our best and brightest.

Internal knowledge about an organisation as large as BT needs to be developed to successfully secure our network. This actually takes a lot of time so it’s important to retain and develop talent who possess this knowledge. Therefore I am keen to lay down a career path in BT. This is another way of keeping people interested as they understand they are being invested in for their future as well as BT’s. And with BT’s commitment to building a culture of tech literacy in the UK and preparing young people for the workplaces of the future, the next generation will be primed for the digital world. Find out more here.

Finally, as many leaders understand, a major piece to the retention puzzle is giving them a purpose. Again, in Start with Why Simon Sinek states ‘People don’t buy WHAT you do, they buy WHY you do it.’ I think this is true, and security has a very powerful why. Setting my team’s purpose starts and finishes with protecting one of the largest and most complex networks in the world.

Why do we do that? Simple. We bring technology and communications to millions of customers, we protect global companies who move traffic across our network and we provide entertainment services to the world. That’s an enticing target for our adversaries. And being part of the team that keeps them at bay is both challenging and rewarding.